import "elf"

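rule unixredflags3 {
  meta:
    author = "Tim Brown @timb_machine"
    description = "Hunts for UNIX red flags"
  strings:
    // Paths, binaries and files that post-exploitation and persistence
    // tooling commonly references. Several tokens ($find, $uname, $cron,
    // $proc, $opt, $tmp) are short and also occur in benign binaries, so
    // this is a hunting rule: expect triage volume rather than precision.
    $shadow = "shadow"
    $useradd = "useradd"
    $ldsoconf = "ld.so.conf"
    $uname = "uname"
    $sudo = "sudo"
    $find = "find"
    $cron = "cron"
    $iptables = "iptables"
    $bashhistory = ".bash_history"
    $devshm = "/dev/shm"
    $proc = "/proc"
    $opt = "/opt"
    $tmp = "/tmp"
    // Markers used as a fallback "this is native code" check for files the
    // elf module does not parse (e.g. an ar archive such as libc.a).
    $libca = "libc.a"
    $text = ".text"
    $data = ".data"
  condition:
    // At least one red-flag string ...
    (
      $shadow or $useradd or $ldsoconf or $uname or $sudo or $find or $cron
      or $iptables or $bashhistory or $devshm or $proc or $opt or $tmp
    )
    and
    // ... inside something that is a parsed ELF or carries the archive
    // markers. number_of_segments is checked as well as number_of_sections
    // so that an ELF whose section header table was stripped (sections == 0
    // but program headers present) is not silently excluded; such binaries
    // are themselves worth a look.
    (
      elf.number_of_sections >= 1
      or elf.number_of_segments >= 1
      or ($libca and $text and $data)
    )
}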
